In a groundbreaking opinion, the European Court of Justice (CJEU) ruled this week that the European Union’s Data Retention Directive is invalid. The court found that the directive infringed on the rights to privacy and data protection guaranteed in the EU’s Charter of Fundamental Rights to a degree that exceeded the limits of the principle of proportionality. (Proportionality is a key concept in European law, requiring that governmental acts be appropriate for attaining the legitimate objectives at issue and not exceed the limits of what is necessary in order to achieve those objectives – somewhat comparable to the “least intrusive means” test in U.S. law.)

CDT and its allies have long opposed data retention mandates because such laws threaten rights to privacy and free expression. The decision this week by the CJEU could mark an important turning point in a global debate over data retention mandates.

The EU’s 2006 directive required communications services and network providers to store transactional data about users to help law enforcement fight serious crime, including terrorism and organized crime. The CJEU examined the directive at the request of the High Court of Ireland and the Constitutional Court of Austria after local cases were brought challenging national laws implementing the directive. The CJEU examined the validity of the directive with respect to two provisions of the Charter of Fundamental Rights of the EU: the right to respect for private life in Article 7 and the right to the protection of personal data in Article 8.

In its decision, the court ruled that “the directive interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.” Not all interferences, however, are invalid, and the court found that the directive’s data retention requirements were appropriate for the objective of fighting serious crime. However, the court found that the directive’s provisions are not narrowly tailored enough to ensure that such a “wide-ranging and particularly serious interference” with human rights is limited to activity that is strictly necessary. While the decision did not hold that data retention is always impermissible, it seems difficult to imagine a data retention law that would comply with the criteria identified by the court.

Supporters of the EU data retention directive, like supporters of the U.S. government’s bulk telephony data program, had stressed that the directive applied only to communications metadata, which included identifying information about the user, as well as the date, time, duration of the communication, IP addresses, and the location of mobile phones. The directive did not require retention of the content of communications. The court nonetheless found the directive to be a “particularly serious” infringement on privacy and contrary to human rights standards. This supports arguments made by CDT and many other advocates that metadata can reveal deeply personal details about a person’s private life and should receive a high level of legal protection from government spying.

One point made in the decision raises a potential concern for the broader data privacy and security debate: In critiquing the directive’s shortcomings, the court notes that “the directive does not require the data in question to be retained within the European Union” and concludes that this means the Charter’s requirement for an independent authority to oversee compliance with privacy and security protections could not be satisfied. This statement could be read as suggesting that one way to cure the defects in the data retention mandate would be to require that the data be stored locally. More broadly, it could suggest that the CJEU favors local storage as a data protection measure and possibly even one that is required under the Charter. CDT does not support the court going down that path, as data localization mandates could have negative consequences for the open Internet, innovation, and, ultimately, freedom of expression.

Still, this CJEU decision is particularly important from the perspective of global legal norms, because the EU had been a world leader in the push towards data retention mandates and has probably had significant influence on the practices of other countries that have followed suit. The court’s ruling on the EU directive may influence other countries to reconsider such harmful mandates. The pushback against data retention mandates gained momentum when the constitutional courts of several EU member states held unconstitutional the national laws implementing the EU mandate. In the United States, the Justice Department has long pursued a U.S. retention mandate and legislation has been periodically introduced, but Congress has consistently declined to advance such legislation.

Within the EU, the decision quite possibly represents the most significant privacy reform since the Snowden leaks began, and perhaps the most significant in many years. Clearly, it marks the full emergence of the Court of Justice of the European Union as a leading human rights institution willing to scrutinize EU legislation that expands governmental powers in ways affecting individual rights.

The court’s analysis of the data retention directive also seems very relevant to the ongoing debates about the bulk surveillance programs of the UK and other European countries that have been disclosed in the past year. The court found that the data retention directive is lacking in terms of proportionality, specificity, and controls on the use of the data. The court concluded, “It must therefore be held that Directive 2006/24 entails a wide-ranging and particularly serious interference with those fundamental rights in the legal order of the EU, without such an interference being precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary.” The same reasoning would seem to apply to many surveillance practices of the EU member states.